System for dynamically implementing firewall exceptions

ABSTRACT

A system for dynamically implementing exceptions in an onboard network firewall has a client application interface receptive to a data link request from a client device. An onboard connectivity manager includes a firewall interface connected to the onboard network firewall to request the exceptions in response to a connection authorization, and a client presence manager receptive to the data link request relayed by the client application interface from the client device. A presence state for the client devices is activated and maintained following the data link request. A remote connectivity manager is connected to a remote application service and is in communication with the onboard connectivity manager. The remote connectivity manager generates a connection authorization based upon an evaluation of the presence state for the client device against the conditions set by the remote application service.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 14/932,159, filed Nov. 4, 2015, entitled “SYSTEM FOR DYNAMICALLY IMPLEMENTING FIREWALL EXCEPTIONS,” the entirety of the disclosure of which is incorporated by reference herein for all purposes. Priority to the foregoing application is hereby expressly claimed.

STATEMENT RE: FEDERALLY SPONSORED RESEARCH/DEVELOPMENT

Not Applicable

BACKGROUND 1. Technical Field

The present disclosure relates generally to data communications, and more particularly, to systems for dynamically implementing network firewall exceptions in providing data communications services on board aircraft and other vehicles.

2. Related Art

Air travel typically involves journeys over extended distances that at the very least take several hours to complete. Some of the longer non-stop international flights have scheduled durations of over sixteen hours with travel distances extending beyond ten thousand miles. Passengers on board the aircraft are confined within an enclosed space of a designated seat for the entire duration of the flight, with only a few limited opportunities to leave the seat for use of the lavatory and so forth. Thus, even on the shortest trips an airline passenger has some idle time, which the passenger may occupy with work, leisure, and/or rest.

Airlines thus provide on-board in-flight entertainment (IFE) systems that offer a wide variety of multimedia content for passenger enjoyment. Recently released movies are a popular viewing choice, as are television shows such as news programs, situation and stand-up comedies, documentaries, and so on. Useful information about the destination such as airport disembarking procedures, immigration and custom procedures and the like are also frequently presented. Audio-only programming is also available, typically comprised of playlists of songs fitting into a common theme or genre. Likewise, video-only content such as flight progress mapping, flight status displays, and so forth are available. Many in-flight entertainment systems also include video games that may be played by the passenger.

Although cabin-installed IFE systems remain a popular choice for passengers, an increasing number are choosing to bring on board their own portable electronic devices (PEDs) such as smart phones, media players, electronic readers, tablets, laptop computers, and so forth. These devices are typically loaded with music, video, games, and other multimedia content of the user's choosing, though such devices mostly fill the same role as IFE systems—to keep the user entertained and otherwise occupied during the flight.

However, there is also a demand on the part of some passengers to put PEDs to more productive uses, which typically require access to the Internet. For instance, PEDs may have installed thereon various e-mail and instant messaging client applications, stock trading applications, banking applications, file sharing applications, cloud-based notetaking applications, and countless other productivity software. Furthermore, there may be dedicated applications that have functions that are particularly useful during travel, such as trip and connecting flight/departure gate tracking. Also popular are applications that are not necessarily productivity-related but still require Internet access, such as sports score updates, text-based news, and so forth.

Internet access on flights is typically provided via an onboard WiFi network, to which the PEDs connect. In this regard, there may be several WiFi access points located throughout the cabin, each of which are connected to a satellite uplink module that is in communication with a satellite. The satellite, in turn, may be in communication with a ground station that is connected to the Internet.

As the bandwidth of the satellite downlink is limited as it is costly to the airline, Internet connectivity may be provided only to paying customers. One model is a subscription-based model, where a flat fee is paid for monthly access periods. Such plans may be more suitable for frequent travelers. Alternatively, short term access on a per-flight, daily, hourly, or other time limited basis in exchange for the payment of a lower fee is possible, although typically at a higher monetary rate per unit of time.

In some IFE implementations, a PED can connect to the WiFi network without accessing the satellite-based Internet link. One application is the retrieval of multimedia content and related data (such as digital rights management keys needed for playback) from an onboard content server for consumption during flight via the PED. Along these lines, it may be necessary for the PED to access a login webpage on the local network, through which payment for the Internet access can be submitted, along with inputting an acceptance of the airline's and the datalink provider's terms and conditions, and so on, prior to being permitted access to the Internet.

Accordingly, the WiFi access point may cooperate with a firewall that selectively restricts and permits access to the Internet from specific PEDs in accordance with the payment of the access/subscription fee. For instance, the firewall may begin a countdown timer for a particular PED to be allowed access to the Internet, e.g., data transmissions to and from the PED are permitted, for a predetermined duration, and upon expiration of the timer, preventing further data transmissions to and from the PED.

Presently, all of the aforementioned PED applications are developed around the assumption that Internet access is, or will be available, with the choice of how that access is to be obtained being left to the user and underlying service providers. When Internet access is unavailable, any functionality that involves updating or refreshing data ceases, with only the pre-stored data being presented. In order to maximize the value of purchasing Internet access for such a limited duration, customers would need to consider the other possible applications on the PED that would need such access, and balance the benefits of obtaining data or information therefrom with the access costs. Oftentimes this cost-benefit calculus results in the passenger simply not using these applications during flight, and relegating the PEDs to basic consumption devices for pre-stored content. Even at the lowest price points, passengers typically do not pay for connectivity unless reimbursement from employers and the like is possible.

From the perspective of the application providers, there may be a multitude of returns with every instance of application use, particularly with captive audiences such as passengers on an airline flight. For example, in a shopping application, each purchase may net the application provider a percentage of the sale price. A more indirect example is a connecting gate checking application, where being able to access status information on demand engenders confidence and loyalty to an extent where future, paid upgrades to the application are more likely to be purchased, and other such intangible returns.

The use of whitelists installed on the onboard firewall, with application providers paying a fee to be included thereon is one possibility for restricting Internet access to certain sites. However, there are several limitations with such an approach. Typical Internet services refer to secondary domains or Uniform Resource Locators (URLs) to provide content and/or services, and in turn, those secondary URLs may refer to further tertiary URLs. Maintaining such a whitelist is challenging, as the relationships between the primary URL and the secondary URLs, and the relationships between the secondary URLs and tertiary URLs constantly evolve, and must be recorded in the whitelist. From the discovery of broken URLs, suggesting updates, and applying those updates to the whitelists is a cumbersome multi-step process. Generally, whitelist implementations have significant runaway cost risk, particularly over many flights and many use cases. Billing application service providers on a per-application basis may not be possible, because tracking traffic to secondary URLs shared by several applications may not be possible.

Accordingly, there is a need in the art for extending the use of Internet-based applications on PEDs on flights that do not depend on the passenger or customer purchasing Internet access. There is also a need in the art for improved application-specific control over onboard firewalls instead of broad and imprecise access definitions such as whitelists that are difficult to maintain.

BRIEF SUMMARY

The present disclosure is directed to enabling any Internet-based application installed on PEDs to selectively activate in-flight Internet connectivity, and offloading costs to the application provider instead of requiring the passenger to purchase access. According to various embodiments, the application provider makes a real-time decision to open the onboard firewall, and excludes the passenger from the decision-making to purchase Internet access. It is expressly contemplated that the passenger need not be alerted to the bandwidth/access costs. Thus, the application provider can selectively enable Internet traffic to and from the aircraft, for which they are willing to pay.

One embodiment of the present disclosure is a system for dynamically implementing exceptions in an onboard network and/or ground network firewall(s) for one or more client devices on a data communications network on an aircraft to connect to a remote network node over a satellite communications link. The connections are authorized by a remote application service. There may be a client application interface that is receptive to a data link request from the one or more client devices. Additionally, there may be an onboard connectivity manager that may include a firewall interface and a client presence manager. The firewall interface may be connected to the onboard network firewall to request the exceptions upon sensing application traffic from the client device. A presence state for the one or more client devices may be activated and maintained following the data link request. The system may further include a remote connectivity manager that is connected to the remote application service and in communication with the onboard connectivity manager. The remote connectivity manager can generate the connection authorization based upon an evaluation of the presence state for the one or more client devices against one or more conditions set by the remote application service.

In another embodiment, API integration between the client and client presence manager may not be necessary. The application provider may selectively authorize connectivity to its Internet presence from all client devices onboard a specific flight during a specific window thereof. The connectivity manager may enable connectivity to specific applications that may be unmodified and are commercial, off-the-shelf (COTS). Instead of the passenger invoking an application to trigger the logic to enable Internet connectivity, the onboard system may utilize a Bluetooth Low Energy (BLE) beacon notification in order to proactively alert client devices as to the availability of Internet connectivity, as authorized.

Another embodiment of the present disclosure is a system for auctioning connectivity rights to the highest bidder within a group of application providers. In this embodiment the application providers not only reimburse the airline for satellite communication bandwidth consumption costs incurred during the passenger's use of their application, but they also pay the airline a fee for the privilege to enable those passengers' use of their application.

The present disclosure will be best understood by reference to the following detailed description when read in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features and advantages of the various embodiments disclosed herein will be better understood with respect to the following description and drawings, in which like numbers refer to like parts throughout, and in which:

FIG. 1 is a diagram illustrating an environment in which the present system for dynamically implementing firewall exceptions may be deployed in accordance with various embodiments;

FIG. 2 is a block diagram of the various components of an API based system for dynamically implementing firewall exceptions;

FIG. 3A is a data communications sequence diagram showing the pertinent components of the API based system along with typical data transmission interactions between such components;

FIG. 3B is a data communications sequence diagram showing the interactions of a firewall system without need for client API integration;

FIG. 4A is a block diagram showing an overview of an exemplary implementation of the system in which a passenger personal electronic device (PED) has seamless connectivity to the Internet across various networks;

FIG. 4B is a block diagram showing another exemplary implementation of the system that further incorporates a seatback client; and

FIG. 5 is a block diagram of an embodiment of the system with an additional level of refinement with respect to allowing or denying access to an upstream network connection based upon passenger profiles and a bidding engine.

DETAILED DESCRIPTION

The detailed description set forth below in connection with the appended drawings is intended as a description of the several presently contemplated embodiments of a system for dynamically implementing firewall restrictions. This description is not intended to represent the only form in which the embodiments of the disclosed invention may be developed or utilized. The description sets forth the functions and features in connection with the illustrated embodiments. It is to be understood, however, that the same or equivalent functions may be accomplished by different embodiments that are also intended to be encompassed within the scope of the present disclosure. It is further understood that the use of relational terms such as first and second and the like are used solely to distinguish one from another entity without necessarily requiring or implying any actual such relationship or order between such entities.

FIG. 1 is a simplified diagram of an aircraft 10, generally referred to herein as a vehicle, along with select subsystems and components thereof that are utilized in connection with the embodiments of the present disclosure. Within a fuselage 12 of the aircraft 10, there may be seats 14 arranged over multiple rows 16, with each seat 14 accommodating a single passenger. Although the features of the present disclosure will be described in the context of the aircraft 10 this is by way of example only and not of limitation. The presently disclosed system for dynamically implementing firewall exceptions may be utilized in any other context as appropriate.

One or more passengers may utilize a portable electronic device (PED) 18 during flight. The present disclosure generally contemplates, in accordance with one embodiment, the use of such PEDs 18 in a manner to which the user is accustomed while on the ground, e.g., with data connectivity. For purposes of the present disclosure, PEDs 18 refer to smart phones, tablet computers, laptop computers, and other like devices that include a general purpose data processor that executes pre-programmed instructions to generate various outputs on a display, with inputs controlling the execution of the instructions. Although these devices are most often brought on board the aircraft 10 by the passengers themselves, carriers may also offer them to the passengers for temporary use.

The aircraft 10 incorporates an in-flight entertainment and communications (IFEC) system 20 that, among other functions, provides such connectivity. In further detail, the IFEC system 20 includes a data communications module 22. Almost all conventional PEDs 18 have a WLAN (WiFi) module, so the data communications module 22 of the IFEC system 20 includes a WLAN access point 22 a. The PED 18, via the onboard WLAN network, may connect to the IFEC system 20 to access various services offered thereon such as content downloading/viewing, shopping, and so forth.

The IFEC system 20 may also offer Internet access to the connecting PEDs 18. One contemplated modality that operates with the IFEC system 20 is a satellite module 24 that establishes a data uplink 26 to a communications satellite 28. According to one exemplary embodiment, the data uplink 26 may be Ku-band microwave transmissions. However, any suitable communications satellite 28, such as Inmarsat or Iridium may also be utilized without departing from the present disclosure. The data transmitted to the communications satellite 28 is relayed to a satellite communications service provider 30. A data downlink 32 is established between the communications satellite 28 and the satellite communications service provider 30 that, in turn, includes a network gateway 34 with a connection to the Internet 36. As will be recognized by those having ordinary skill in the art, there are numerous servers that are accessible via the Internet 36, though in the various embodiments of the present disclosure, the PED 18 connects to a particular application server 38 to access services thereon. In another embodiment, the aircraft 10 can be equipped with a cellular modem instead of, or in addition to the satellite module 24 for remote connectivity.

The PED 18 is understood to connect to the IFEC system 20 via the WLAN access point 22 a, which relays the data transmissions to the satellite module 24. The data is transmitted to the communications satellite 28 over the data uplink 26, and the satellite relays the data to the satellite communications service provider 30 over the data downlink 32. The network gateway 34 then routes the transmission to the Internet 36, and eventually to the application server 38. Data transmissions from the application server 38 to the PED 18 are understood to follow a reverse course. Due to the high costs associated with the communications satellite 28 that is passed to the users of the data uplink 26 and the data downlink 32, the airlines may limit data traffic to and from the satellite module 24 with a firewall 40.

It is understood that the firewall 40 may be any conventional network appliance that includes a downstream network connection to the data communications module 22 that establishes the onboard local area network, as well as an upstream network connection to the satellite module 24. The firewall 40 may selectively block or permit specific devices connecting thereto via the onboard local area network from accessing the upstream network connection, e.g., the satellite module 24 depending on certain administratively defined conditions. For example, a rule/exception may be set for allowing traffic between a particular PED 18 that has paid a subscription fee, while restricting other PEDs 18 that have not subscribed. Furthermore, certain network node destinations may be blocked as inappropriate to access on a public network. These rules/exceptions may be activated for a set duration, such as, for example, when the user purchases an hour of access, access for the entirety of the flight, and so forth. Those having ordinary skill in the art will recognize that numerous other rules/exceptions for upstream data traffic may be set by defining such rules/exceptions in accordance with the syntax specific to the firewall 40. In this regard, although the syntax may differ depending on the specific implementation of the firewall 40, the logic of the rules/exceptions are understood to be applicable regardless of implementation. Therefore, to the extent such rules/exceptions are described in accordance with syntax specific to a given firewall 40, it is to be understood that this is by way of example only and not of limitation.

Another possible way in which the passenger can utilize the services offered through the IFEC system 20 are the individual seat-back modules that are typically comprised of a terminal unit 42, a display 44, an audio output 46, and a remote controller 48. For a given row 16 of seats 14, the terminal unit 42 and the audio output 46 are disposed on the seat 14 for which it is provided, but the display 44 and the remote controller 48 may be disposed on the row 16 in front of the seat 14 to which it is provided. That is, the display 44 and the remote controller 48 are installed on the seatback of the row in front of the seat. This is by way of example only, and other display 44 and remote controller 48 mounting and access configurations such as a retractable arm or the like mounted to an armrest of the seat 14 or by mounting on a bulkhead.

The display 44 is understood to be a conventional liquid crystal display (LCD) screen or other type with a low profile that is suitable for installation on the seatback. Each passenger can utilize an individual headset 50, supplied by either the airline or by the passenger, which provides a more private listening experience. In the illustrated embodiment, the audio output 46 is a headphone jack that is a standard ring/tip/sleeve socket. The headphone jack may be disposed in proximity to the display 44 or on the armrest of the seat 14 as shown. The headphone jack may be an active type with noise canceling and including two or three sockets or a standard audio output without noise canceling. In alternate embodiments, each display 44 may incorporate a terminal unit 42 to form a display unit referred to in the art as a smart monitor.

A common use for the terminal unit 42 installed on the aircraft is the playback of various multimedia content. The terminal unit 42 may be implemented with a general-purpose data processor that decodes the data files corresponding to the multimedia content and generates video and audio signals for the display 44 and the audio output 46, respectively. The multimedia content data files may be stored in one or more repositories associated with the IFEC system 20, and each of the terminal units 42 for each seat 14 may be connected thereto over a wired local area network 52, which may preferably be Ethernet. In addition to the aforementioned data communications module 22 that includes the access point for PEDs 18, there is an Ethernet data communications module 22 b. More particularly, the Ethernet data communications module 22 b is understood to be an Ethernet switch or a router.

Under the most common usage scenarios, the terminal units 42 initiate a request for multimedia content to the IFEC system 20, where such content is stored. The data is transmitted to requesting terminal unit 42 over the wired local area network 52, and most data traffic thus remains local. However, there are several additional applications contemplated that may rely upon a connection to the Internet 36, in which case the data is passed to the satellite module 24 so long as permission has been granted therefor by the firewall 40 in the same manner as described above in relation to the WLAN network and the request originating from the PED 18. The present disclosure, which is in part directed to implementing rules/exceptions of the firewall 40, is understood to be suitable for regulating data traffic from the aircraft-installed terminal units 42 in addition to the PEDs 18 as noted earlier.

With reference to the block diagram of FIG. 2, according to various embodiments, one or more client applications 54 are installed on the PED 18. In the context of the present disclosure, the presentation of information or other interactivity to the user of the PED 18 by way of the client application 54 is understood to involve the retrieval of data from a remote source such as the application server 38 that is connected to the Internet 36.

Rather than the user of the PED 18 paying for the privilege to access the upstream network connection, e.g., the satellite module 24, the application server 38 may instead offer to subsidize the costs of the satellite Internet connection so that the client application 54 may be utilized in the intended manner. The conditions under which the user of the PED 18 is permitted to access the satellite module 24 to transact with the application server 38 or any other node external to the onboard network may be set by the application server 38, and the authorization to allow the data traffic to and from the PED 18 is understood to originate from the same. The authorization procedure may remain hidden from the user of the PED 18, in that the user is not prompted with requests to allow charges for the access, or even made aware that there may be a cost associated with access. Thus, it is envisioned that the client application 54 functions seamlessly between inflight Internet connections and conventional Internet connectivity available on the ground, such as public/private/commercial WiFi networks, cellular networks, and so on.

When the typical client application 54 attempts to perform a function that requires connecting to a remote service such as the application server 38, a lower level data communications protocol stack that is part of the PED 18 is called, and the details of establishing the link may be abstracted out with respect to the main functions of the client application 54. When the protocol stack attempts to establish the link over the onboard network, however, the aforementioned firewall 40, also referred to herein more generally as an access controller, may limit such a connection attempt, either as exceeding the authorization for that particular PED 18, or as a non-existent upstream network node (or both). In this regard, as shown in FIG. 3A, a step in securing an authorization to open the data uplink 26 to the particular PED 18 may begin with the client application 54 making the request with its native protocols, per a sequence step 1000.

The PED 18 also has installed thereon a connectivity application programming interface (API) 56 that may be called by the client application 54 in an attempt to establish an alternative network connection to the Internet 36, and specifically to the application server 38. This may take place in a sequence step 1002, where the request is generated by the client application 54 to the API 56. In response, in a sequence step 1004, the API 56 may report back details pertaining to the current flight. This includes such information as the airline on which the user of the PED 18 is currently flying, the flight number of the flight on which the user of the PED 18 is currently flying, the destination of such flight, the origin/departure point of such flight, the anticipated arrival time of such flight, and the departure time of such flight. Additionally, the satellite uplink connectivity status may be reported, as well as the current beam load of the data uplink 26 and/or the data downlink 32. With the returned flight detail data, the client application 54, either directly or through the API 56, completes a registration process with an onboard connectivity manager 58 in accordance with a sequence step 1006. By this registration process, the assigned Internet Protocol address, and other details pertaining to the PED 18 may be recorded.

Periodically, throughout the flight, the API 56 may update the flight detail data per sequence step 1008. The client application 54 remains in communication with the onboard connectivity manager 58 to provide a presence state 59 with respect to the PED 18. The presence state 59 is understood to encompass the aforementioned flight detail data, as well as other data that pertains to the user or the PED 18, such as the onboard network address assignment. In one embodiment, the presence state 59 may be shared with the eXtensible Messaging and Presence Protocol (XMPP). As indicated above, it is possible for the passenger to prepay for Internet connectivity, and because it will not be necessary for the application server 38 to specifically authorize the firewall 40 to permit access to the satellite module 24, the presence state 59 may also include subscriber status data.

The presence state 59 of the PED 18 is transmitted from the client application 54, either directly or through the API 56, to the onboard connectivity manager 58 in a sequence step 1010 a. From the onboard connectivity manager 58, other presence states of the PEDs 18 also on the aircraft local network are aggregated, and transmitted to a remote connectivity manager 60 in a sequence step 1010 b. Because the costs for transmitting the presence state 59 may not be assignable to a particular application server 38, it may be absorbed by the airline. The aggregation of multiple presence states in a single transmission is contemplated to minimize this cost burden.

The onboard connectivity manager 58 is generally comprised of a client presence manager 62, and the foregoing functionality of maintaining, aggregating, and transmitting the presence state 59 is understood to be performed thereby. Additionally, the onboard connectivity manager 58 includes a firewall interface 64, the details of which will be described more fully below. As referenced herein, the client presence manager 62 and the firewall interface 64 are understood to be implemented as persistently active software modules or components on the IFEC system 20 that accepts inputs, processes those inputs, and generates an output in response. Based on the functions described herein, those having ordinary skill in the art will recognize a variety of ways in which such software could be written. The logical segregation between the client presence manager 62 and the firewall interface 64 is presented by way of example only and not of limitation, and any other suitable separation of functions into different logical units may be utilized without departing from the present disclosure.

Upon storage of the presence states in the remote connectivity manager 60, the application server 38 has access thereto. Certain conditions set by the application server 38 are understood to govern the granting or denial of access to the satellite module 24 by the PED 18. In further detail, the identification of the airline in the presence state 59 may be used to determine if there are any promotions or agreements that govern the granting of Internet access. Furthermore, flight number, departure location, destination location may help the provider target specific demographics, or limit access to the application server 38 to certain locations. A phase of the flight (beginning, middle or end) may help focus the offerings that would be of most interest to passengers at such time. Along these lines, the remaining flight duration and the connectivity window may help determine whether or not granting access would be beneficial to the provider. For example, if average interaction periods with an application or service were fifteen minutes, but only five minutes remained before the start of landing procedures, paying for access to the Internet for the user to be engaged for that duration would not be worthwhile. The jurisdiction or country of the airspace in which the aircraft is flying may be useful to allow access to content or services that are legal therein. The number of other PEDs 18 on the onboard network may indicate the potential volume, and the listing of PEDs 18 with active Internet access subscriptions may indicate necessity. Furthermore, the beam load, i.e., the amount of traffic on the data uplink 26 and the data downlink 32 can alter the cost of access, so the application or service provider may consider the maximum cost that is intended to be subsidized.

In one example use case, a game development company that relies on in-app purchases may be open to paying connectivity costs so long as in the aggregate, it makes more from purchases than the losses associated with such costs. A similar application is an online gambling company that may be open to pay connectivity costs based upon the expectation that the user will lose more money gambling than the company loses with the costs.

The access grants/denials are understood to be implemented as exceptions to the general restrictions set on the firewall 40. In order for the application server 38 to grant or deny Internet access remotely in the manner contemplated, a registration procedure with the remote connectivity manager 60 is contemplated, in accordance with a sequence step 1100. The identity of the client application 54 that cooperates with the application server 38 is associated thereto, so that connection requests originating from the client application 54 can be directed to the particular application server 38 with which the client application 54 interacts.

The presence state 59 of the client application 54 relayed to the remote connectivity manager 60 is also transmitted to the application server 38 in accordance with a sequence step 1010 c. The application server 38, in turn, evaluates the presence state 59 to determine whether the instance of the client application 54 running on a particular PED 18 to which the presence state 59 pertains, should be permitted access to the satellite module 24 in order to transact with the application server 38. It is understood that while the application server 38 may be in persistent contact with the remote connectivity manager 60 to evaluate each update to the presence state 59, this is optional. A definition of the conditions under which connectivity is to be granted may be pre-loaded on to the remote connectivity manager 60, so that the processing and communication burdens may be passed thereto.

The authorization to set the exception for the firewall 40 may originate from the application server 38 in accordance with a sequence step 1200 a, and transmitted to the remote connectivity manager 60. According to one embodiment of the present disclosure, the authorization may be in the form of an XEM-0500 message that requests a sideband channel. This authorization is relayed by the remote connectivity manager 60 to the onboard connectivity manager 58 in accordance with a sequence step 1200 b. The firewall interface 64 of the onboard connectivity manager 58 sets an exception on the access controller or firewall 40 that grants traffic to and from the designated client application 54/PED 18 to access the satellite module 24 for establishing a data communications link to the application server 38. The exception may be specified in terms of the permitted destination address and port of the application server 38 in the case of outgoing data, and the permitted source address and port of the application server 38 in the case of incoming data. Henceforth, all traffic between the client application 54 and the application server, per sequence step 1300, is understood to take place in accordance with the application native protocols. Because traffic is permitted on a per-user, per-application basis, allocating the cost of the satellite links to specific providers of the client application 54 and/or the application server 38 is possible.

Although in the illustrated example the authorization is to connect to the application server 38, this is by way of example only. The application server 38 may specify another server node instead, so that the firewall 40 limits the Internet connectivity for the client application 54 to connect to such alternative server. The presently contemplated system is understood to allow for the application and service providers to fine tune secondary and tertiary servers that are utilized for load balancing and other purposes. This is possible without reliance on whitelists and other broad-swath access definitions that are difficult to update and maintain. The flexibility of the system is envisioned to result in better service to the user, at a lower cost to the application and service providers.

The foregoing sequence illustrated in conjunction with FIG. 3A is understood to require a minimal amount of time. Preferably, the data exchange taking place from initial request to authorization takes place within a few seconds and in the background, so the user is unaware of the procedure described above. To the user, the use of the client application 54 appears no different than when connecting to a home WLAN network, or to a cellular network.

FIG. 3B illustrates an alternative to the API-based system implementation described above. The application provider is provided with flight details of all aircraft within participating airline fleets as those flight events occur. Specifically, the connectivity manager 60 provides such flight details in accordance with a sequence step 1104. However, the application provider is not provided with presence attributes of individual PEDs 18. The application provider may request a firewall exception to any flight at any time during that flight in anticipation that one or more PEDs 18 may attempt to reach that application 54 at some point during that flight. This may take place in accordance with a sequence step 1106.

Instead of opening the firewall hole to precisely the right device at precisely the right time, this implementation opens the firewall hole to a large number of devices over a longer period of time. In further detail, the remote connectivity manager 60 communicates with the access controller 40 to make this request per sequence step 1108. Prior to the application provider/application server 54 being permitted to make such a request, the application provider may register its own URL and any supporting URLs as needed by the application with the remote connectivity manager 60 in accordance with a sequence step 1101. The client application 54 resident on the PED 18 is understood to operate in a manner consistent with terrestrial Internet connectivity, for example, as it would before and after the flight while traveling to/from the airport.

As shown in FIG. 3B, the system may alert the passenger 17 of the opportunity to utilize the application via a Beacon notification per sequence step 1110, which in turn provides an alert to the passenger 17 in accordance with a sequence step 1111. However, many passengers 17 may not have enabled their personal device to receive beacon notifications. Of course, the passenger 17 can choose to open the client application for any number of reasons, as depicted in a sequence step 1113. For example, the crew could make a PA announcement, or provide an advertisement within the IFE system. All traffic between the PED 18 and the application server 38, per sequence step 1300, is understood to take place in accordance with the application native protocols. At the end of the flight, the connectivity manager 60 may close the connection/flight in accordance with a sequence step 1400. The common thread in any implementation of this embodiment is that a higher uptake rate may be achieved by soliciting connections rather than only authorizing connections as they are attempted.

Referring now to the block diagram of FIG. 4A, the passenger PED 18 a connects to the onboard WLAN access point 22 a, and accesses the Internet 36 via the onboard connectivity manager 58 and the remote connectivity manager 60. Additionally, when not onboard the aircraft 10, the user can access the Internet 36 by various conventional modalities, including a home network (which may also be a WiFi network), a work network, as well as a cellular (GSM) network. In accordance with various embodiments of the present disclosure, the transition between the Internet connection as authorized by the application server 38 as described above, and the conventional Internet connections may occur without user intervention, and without user notification.

The block diagram of FIG. 4B illustrates an alternative embodiment that incorporates an aircrew PED 18 b, as well as an IFE terminal that can utilize the disclosed system for implementing firewall exceptions. The aircrew PED 18 b is understood to function similarly to the above-described passenger PED 18 a, in that while onboard the aircraft, a connection is made to the WLAN access point 22 a. During flight, the aircrew PED 18 b may likewise be authorized to connect to the Internet 36 via the onboard connectivity manager 58 and the remote connectivity manager 60. Similar to the passenger PED 18 a, the aircrew PED 18 b may also be connected to the Internet 36 via common access modalities such as work and home WLAN networks and GSM/cellular networks.

In addition to those uses that are common with the passenger PED 18 a, the aircrew PED 18 b may be utilized for crew messaging based on the Aircraft Communications Addressing and Reporting System (ACARS). The presence state 59 that is communicated from the onboard connectivity manager 58 to the remote connectivity manager 60 can include avionics data retrieved from the ARINC 429 bus, as one of the nodes connected thereto is the IFEC system 20. Furthermore, the presence state 59 may be provided to traditional ACARS ground destinations with conventional XMPP servers. The XMPP presence state 59 can carry text messages, so air and ground crew messaging, including all forms of ACARS messaging, can be supported.

The embodiment shown in FIG. 4B also contemplates the installation of the client application 54 on a seatback display, e.g., the terminal unit 42 of the IFEC system 20. In some cases, the client application 54 may be limited to communicating with local services such as an IFE application server 66, though it is also understood to be connectible to the application server 38 that is remote from the aircraft 10.

A wide variety of applications, including travel-oriented as well as more general ones, are envisioned to benefit from the provider authorized (and subsidized) Internet connectivity. One exemplary application particularly suitable for air travel is viewing connecting flight departure gate information during flight. This information may be presented via the IFEC system 20 on the seatback display 44, on a cabin overhead monitor, or on the PED 18. Beacons deployed within the airport may provide a further level of assistance by guiding the traveler to the desired gate. Obtaining connecting gate information on the PED 18 during flight is possible with the presently contemplated system, as the airline may authorize access to the data source therefor prior to arrival. Additionally, once the passenger has disembarked from the aircraft 10, the Internet connection may be transitioned to a local WLAN network accessible within the airport terminal.

Another air travel specific application is duty free sales. The user, via the PED 18 or the terminal unit 42 of the IFEC system 20, may browse a catalog of available items during flight. The receipts of any purchases may be downloaded to the PED 18 during flight from the application server 38 via the authorized satellite-based Internet connection, and the item may be picked up upon landing at the airport following a presentation of the receipt. The receipt may include a QR code or other machine-readable code that verifies the purchase and the customer. The customer may also change onboard pre-order while browsing in the airport. Meal ordering, ground bases concierge services integrated with onboard flight attendants are other possible applications with tie-ins to functionality that can be accessed via the terminal unit of the IFEC system 20.

The data transmitted to the PED 18 in all of these example uses are understood to be conveyed via XMPP presence states, though it is possible to use other protocols such as HTTP within a browser by requesting the opening of a sideband channel as described above. Generally, a closer relationship between the airline-controlled IFEC system 20 and the client application 54 that are related thereto encourages wider adoption, and more extensive usage of the subscription-based Internet connectivity services.

As noted earlier, applications that are not tied to travel may also utilize provider authorized Internet connectivity. One example is sports updates, and the text-based messaging system disclosed herein is understood to be particularly suitable for sending updates when a game score changes or a play period ends. While major events such as the Super Bowl or the World Cup are of wide interest, typically most users would have little interest in the more minor events. As such, newsfeeds of the top 10 or top 100 games would not be efficient, and would be cumbersome for the user to navigate to find the event of interest. Accordingly, various embodiments of the present disclosure contemplate a text messaging type alert that may be communicated through the updates to the presence states. Receiving such updates may be desirable for dedicated fans, as passengers are otherwise disconnected from the rest of the world during the flight.

Yet another exemplary application is stock trading, as traders cannot afford to be offline when the market is moving. Although dedicated day traders and the like may subscribe to an in-flight Internet access service, most passengers would not be engaged in stock trading during the flight. Thus, updates similar in form to the aforementioned sports score updates are contemplated, where text-based updates/alerts are generated for a select number of stocks of interest. This application is understood to require minimal bandwidth.

With the numerous possible client applications that may be incorporated with selective Internet connectivity according to the various embodiments of the present disclosure, the usage data associated therewith may be leveraged in further refinement to the targeting of potential customers. In general, passengers on a flight are understood to fit a particularly desirable subset of the consumer population, since such passengers share common attributes such as the means to afford a ticket, and known destination and/or departure point. As described above, the presence state 59 of the PED 18 is one basis for the application server 38 to decide whether or not to open the firewall 40 therefor. According to another aspect of the present disclosure, additional details pertaining to the passenger, using a specific application, with a specific history of interaction with preflight and inflight services may also serve as a basis for the decision.

With reference to the block diagram of FIG. 5, again, the onboard and remote connectivity managers 58, 60, maintain the presence state 59 for the passenger PED 18 a (which may also be the terminal unit 42 of the IFEC system 20). The application server 38 may process the presence state 59 to determine whether the PED 18 is to be granted access to the onboard Internet connection, and provides an authorization depending on the outcome of that analysis. In addition to the presence state 59, however, the illustrated embodiment further contemplates a decision being made based on a passenger profile 68 associated with the PED 18.

By way of example only and not of limitation, the passenger profile 68 may include the home city, country, area code of the passenger. Additionally, the passenger profile 68 may include frequent flier status/category, connecting flights, and ticket reservations. The passenger's past interactions 69 with particular inflight services on current or past flights may be captured and maintained in the passenger profile 68. The level of detail of the passenger profile data depends on the specific needs of the airline, and may be varied.

In granting connectivity to the PED 18, the application server 38 may have access to the presence state 59 and the passenger profile 68, with the decision being made by the application server 38. However, if there are multiple parties that may be interested in offering connectivity in exchange for an opportunity to market to the passenger, a bidding engine 70 that allows the airline to consider multiple offers may be utilized. The bidding engine 70 is understood to have several operating modes, including restricting connectivity to the highest bidder, offering connectivity for a fixed price, and subsidizing connectivity. In each of these modes, the bidding engine 70 generates an offer 72 of the application server 38, and the application server 38 responds with a bid 74. The bidding engine 70 considers the bid 74, and grants 76 the bid to the winner. At this point, the application server 38 may be provided with the identity of the PED 18 requesting the connection.

An exemplary scenario that helps illustrate these operating modes is where the passenger profile 68 indicates a strong possibility of the passenger needing to book a hotel room at the destination of the flight. This may be based on recent IFEC system 20 and/or PED 18 activity history of the passenger viewing hotel-related content. In the operating mode in which the connectivity is restricted to the highest bidder, there may be multiple hotel booking sites (e.g., Hotels.com and Expedia.com). The offer 72 transmitted from the bidding engine 70 to the respective application servers 38 of these sites may indicate exclusivity that the highest bidder will be the only hotel booking site that will be allowed. In the bid 74, one site specifies $1, while the other site specifies $2. The bidding engine 70 receives these two bids, and provides the identity of the PED 18 requesting connectivity to the winning $2 bid in the grant 76.

It is understood that if the user was browsing the hotel booking sites via the web, there would be no notification thereto that an Internet connection was opened, particularly one that was paid for by a sponsor. In such case, the value of the exclusivity may be diminished, so web browsing is generally considered a low value application. It may be possible to highlight terms within the displayed content that pertain to the winning application server 38. If a hotel booking service client application were installed on the PED 18, it may be possible to generate an alert thereon that there is connectivity.

In the operating mode in which connectivity is offered for a fixed price, continuing with the example of the passenger profile 68 indicating a likelihood of the user needing to book a hotel, the bidding engine 70 may offer connectivity for ten cents each to a dozen hotel booking related sites. Another example is the bidding engine 70 offering connectivity to the passenger for $5 to a slot machine gambling provider. The bid 74 in the context of this operating mode and these examples are understood to be a positive acknowledgement by the application server 38 as to the proposed terms, after which point the identity of the PED 18 requesting connectivity is passed to the application server 38 by the bidding engine 70.

With respect to subsidizing the connectivity operating mode, there may be situations where the airline has reasons for preferring specific application servers 38. The offer 72 in such case is understood to be free of charge, and may include an indication of the entity paying for the Internet connectivity, which may be the airline, or the provider of the client application 54/application server 38.

The operating mode of the bidding engine 70 can be switched midflight, or may be changed dynamically based on an analysis of the available passenger profiles 68. With these operating modes, application providers may apply more complex business rules when responding to an opportunity to enable in-flight Internet connectivity to requesting PEDs 18 and IFEC system terminal units 42.

The particulars shown herein are by way of example only for purposes of illustrative discussion, and are presented in the cause of providing what is believed to be the most useful and readily understood description of the principles and conceptual aspects of the various embodiments of the system for dynamically implementing firewall exceptions set forth in the present disclosure. In this regard, no attempt is made to show any more detail than is necessary for a fundamental understanding of the different features of the various embodiments, the description taken with the drawings making apparent to those skilled in the art how these may be implemented in practice. 

What is claimed is:
 1. An in-flight entertainment and communications system on which an onboard connectivity manager is implemented, the onboard connectivity manager cooperating with a network gateway to remotely, from a remote connectivity manager, permit data traffic between a client node and an upstream network, the onboard connectivity manager comprising: a network access control interface in communication with the network gateway, to which the client node is connected, the data traffic originating from the client node to the upstream network, and destined to the client node from the upstream network being selectively passed through the network gateway as at least partially designated via a gateway authorization provided to the network access control interface prior to any data traffic from the client node being passed to the upstream network; and a client node presence manager cooperating with the network access control interface and the remote connectivity manager, the client node presence manager maintaining a dynamically updated presence state of the client node, and the presence state being passed to the remote connectivity manager for evaluation of a connection authorization specific to and based on the current presence state of the client node against independent criteria therefor established with the remote connectivity manager; wherein the connection authorization is received by the client node presence manager, with the gateway authorization to the network access control interface being based on the connection authorization.
 2. The in-flight entertainment and communications system of claim 1, wherein the remote connectivity manager is connected to a remote application service that dynamically defines one or more conditions relating to the presence state of the client node for the evaluation of the connection authorization by the remote connectivity manager.
 3. The in-flight entertainment and communications system of claim 1, wherein the client node presence manager is connected to a client node application that requests a data communications link to the upstream network.
 4. The in-flight entertainment and communications system of claim 1, wherein the upstream network is a satellite communications-based Internet connection.
 5. The in-flight entertainment and communications system of claim 1, wherein transmission of the presence state from the client node presence manager to the remote connectivity manager is independent of transmissions between the client node and the upstream network.
 6. The in-flight entertainment and communications system of claim 1, wherein: the client node is connected to a local network on an aircraft; and the upstream network is a satellite communications-based Internet connection; and the presence state includes one or more data elements, and the one or more data elements being selected from a group consisting of: an airline identifier associated with the aircraft, a flight identifier of a flight to which the aircraft is associated, a destination identifier of the flight, an origin identifier of the flight, an arrival time corresponding to the flight, the departure time corresponding to the flight, a real time network connectivity status for the client node, a private network address assignment for the client node, a network connectivity pre-purchase status for the client node, a passenger service class designator, and a beam load of the satellite communications link.
 7. The in-flight entertainment and communications system of claim 2, further comprising: a user profile associated with the presence state of the client node; a bidding engine cooperating with the remote connectivity manager, a connection offer being generated in relation to the user profile and the presence state, the bidding engine being receptive to a connection bid from the remote application service in response to the connection offer; wherein an acceptance of the connection bid generates the connection authorization for the client node.
 8. The in-flight entertainment and communications system of claim 1, wherein the connection authorization includes a remote node identification corresponding to a remote node on the upstream network with which a particular one of the one or more client nodes is permitted to communicate.
 9. The in-flight entertainment and communications system of claim 8, wherein the remote node identification includes a remote node address and a remote node port definition.
 10. The in-flight entertainment and communications system of claim 6, wherein the onboard connectivity manager generates a request to open a sideband channel in the satellite communications link.
 11. The in-flight entertainment and communication system of claim 1, wherein presence states of a plurality of the one or more client devices are aggregated into a single transmission to the remote connectivity manager.
 12. The in-flight entertainment and communications system of claim 1, further comprising an air crew messaging server in communication with the remote connectivity manager, the presence state including one or more cabin crew messages that are related from the remote connectivity manager to the air crew messaging server upon receipt of the presence state.
 13. A method for dynamically implementing exceptions for a network firewall, the method comprising: deriving a presence state for a client device; transmitting, from an onboard connectivity manager to a remote connectivity manager, the presence state for the client device; receiving, on the onboard connectivity manager from the remote connectivity manager, a connection authorization generated by the remote connectivity manager in response to an evaluation of the current presence state for the client device matching one or more independent conditions preset by a remote application service connected to the remote connectivity manager; generating, in response to the connection authorization, a command to the network firewall corresponding to an exception pre-authorizing data traffic between the client device and the remote application service prior to and independent of originating any data traffic from the client device to the remote application service.
 14. The method of claim 13, wherein the client device is connected to a local network on an aircraft and the presence state includes one or more data elements, the one or more data elements being selected from a group consisting of: an airline identifier associated with the aircraft, a flight identifier of a flight to which the aircraft is associated, a destination identifier of the flight, an origin identifier of the flight, an arrival time corresponding to the flight, the departure time corresponding to the flight, a real time network connectivity status for the client device, a private network address assignment for the client device, a passenger service class designator, and a network connectivity pre-purchase status for the client device.
 15. The method of claim 13, wherein the data traffic between the client device and the remote application service is transmitted over a satellite communications link.
 16. The method of claim 15, wherein the transmitting of the presence state to the remote conductivity manager is independent of the data traffic between the client device and the remote application service.
 17. The method of claim 15, further comprising generating a request to open a sideband channel in the satellite communications link.
 18. The method of claim 13, wherein a user profile is associated with the present state of the client device.
 19. The method of claim 13, further comprising: receiving a connection bid from the remote application service; and generating, by a bidding engine, a connection offer to the client device in response to the connection bid.
 20. The method of claim 13, wherein the client device is connected to a local network on an aircraft. 